Cisco VPN Integration Guide

This guide describes the configuration method for integrating CISCO VPN products with Genian NAC, a network access control system.

Guide Overview

CISCO VPN provides users with AnyConnect software for VPN connection, allowing them to access the VPN gateway, undergo an authentication process, and then connect to the internal network.

Genian NAC provides visibility, network access control by user privileges, and endpoint security integrity control methods for endpoints residing in the internal network to manage internal security.

This integration combines the functions of the two solutions so that VPN users are admitted to the internal network only after Genian NAC has checked that they satisfy its security policies.

Purpose of Integration

The integration of Genian NAC and CISCO VPN aims for the following:

Security Integrity Check of VPN Connected Endpoints

  • On its own, the VPN Gateway collects only the endpoint information it can observe itself. When integrated with Genian NAC, Genian NAC supplies the security integrity information of the connected endpoint as well.

Control based on Security Integrity Results of VPN Connected Endpoints

  • Through the integration of CISCO VPN and Genian NAC, the security integrity of VPN connected endpoints is assessed before they enter the internal network. If a threat exists, network access is blocked.
  • Endpoints that passed the security integrity check at connection time but later violate it are blocked from the network so that integrity can be re-established, after which their security integrity is verified again.

Introduction to Integration Scenarios

[Figure: integration process diagram (int_cisco_process.png)]

[Upon Initial Connection]

  1. User attempts to connect to CISCO VPN Gateway using CISCO AnyConnect
  2. CISCO VPN Gateway designates Genian NAC's RADIUS as the user authentication server and applies a blocking policy (only CWP access is allowed for connected endpoints).
  3. Genian NAC attempts to install the NAC Agent on the connected endpoint and checks if the endpoint meets security integrity requirements.
  4. If security integrity is met, a request to grant an AllowAll policy is sent to the CISCO VPN Gateway (CoA).

=> The VPN connected endpoint is granted network access.

[When a Connected Endpoint Violates Security Integrity]

  1. Genian NAC's Agent checks the security integrity of the connected endpoint and sends violation information to Genian NAC Policy-Center.
  2. Genian NAC applies a blocking policy based on the integrity violation.
  3. A request to apply the blocking policy is sent to the CISCO VPN Gateway (CoA).

=> The session is terminated, and the process moves to step (3) of the initial connection to proceed through subsequent steps.

Prerequisites

Setting a Secret Key between Genian NAC RADIUS and CISCO VPN Gateway

The integration configuration presented in this guide sets the CISCO VPN Gateway's authentication server to Genian NAC (RADIUS), so all VPN users attempting to connect are authenticated by Genian NAC RADIUS.

A Secret Key is used to ensure a secure connection between the two devices.

CISCO VPN Gateway Prerequisites

Verify that the VPN gateway runs a version that supports Change of Authorization (CoA).

Recommended versions are as follows:

Device Name | Version           | Notes
CISCO ASA   | 9.12(4) or higher | VPN Gateway
CISCO ASDM  | 7.13(1) or higher | CISCO Management Tool

Networking Prerequisites

Confirm communication between Genian NAC Policy Center and CISCO VPN Gateway.

Default ports are as follows:

Service Name | Port       | Purpose
RADIUS       | 1812 (UDP) | Authentication protocol
RADIUS       | 1813 (UDP) | Accounting protocol
CoA          | 3799 (UDP) | CoA (Change of Authorization)

CISCO VPN Configuration for Integration

(CISCO VPN Gateway configuration was performed using Adaptive Security Device Manager (ASDM))

Step 1: Create Policies

In ASDM, go to Configuration > ACL Manager, then click Add to create the following two policies:

Policy Name | Source                                                             | Destination                                      | Allowed Services
AllowAll    | VPN connected endpoints that have passed Genian NAC authentication | Business network, infrastructure                 | Business service ports
Redirect    | All VPN connected users                                            | Only Genian NAC's guide page (CWP) is accessible | http, https

AllowAll Policy: If a VPN connected endpoint complies with the security integrity set in Genian NAC, it will be granted this policy (Allow).

Redirect Policy: This is the Redirect rule applied upon initial VPN connection and when security integrity is violated. Under this policy, newly connected VPN endpoints and endpoints that violate security integrity have all connection attempts redirected to Genian NAC's CWP (User Guide Page) only.

Step 2: Configure External Authentication Server Integration

Go to Configuration > Remote Access VPN > Network(Client) Access > AnyConnect Connection Profiles and specify the Access interfaces.

Configuration Item | Setting Value                      | Notes
Access interfaces  | Enable CISCO AnyConnect VPN Client |
Outside SSL Access | Enable                             |

Next, in the Basic menu, configure Authentication as follows:

Configuration Item | Setting Value | Notes
Method             | AAA           |
AAA Server Group   | GNAC          |

In the Advanced menu, set the Accounting Server Group to GNAC.

Step 3: Configure CoA (Change of Authorization)

Go to Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups and create the GNAC server group. Configure as follows:

Configuration Item           | Setting Value | Notes
Server Group                 | GNAC          | Fixed value
Protocol                     | RADIUS        | Fixed value
Accounting Mode              | Single        | Select Single
Reactivation Mode            | Depletion     | Select Depletion
Dead Time                    | 10            | Enter '10'
Max Failed Attempts          | 3             | Enter '3'
Enable dynamic authorization | Check         | Check the box
Dynamic Authorization Port   | 3799          | ISE Policy Enforcement

Genian NAC Configuration for Integration

Step 1: Create Node Groups for VPN Connected Endpoint Management

Go to Policy > Group > Node, then click Create to create the following 3 node groups.

Create node groups to manage endpoints connecting via VPN by their status. (In Genian NAC, a node group is a unit of node management.)

  1. Create a node group for VPN connected nodes (VPN access policy)

This group targets all endpoints connected via VPN. Configure with the following conditions:

Configuration Item                                | Setting Value                                                        | Notes
Condition Operator                                | '(AND) If all conditions below are met' selected                     |
Condition Settings > Add > Connection Device/Port | 'If connection type is same', 'Virtual IF' selected respectively     |
Condition Settings > Add > Authenticated User     | 'Authentication Type', 'RADIUS Authentication' selected respectively |

  2. Create a node group for VPN connected nodes meeting security integrity (VPN Compliance)

This node group defines the security integrity checks applied to VPN connected endpoints. This guide uses two example checks: the Genian NAC Agent's operation status and the presence of antivirus information. Add further security integrity requirements according to your company's security policy for VPN users.

Configuration Item                        | Setting Value                                               | Notes
Condition Operator                        | '(AND) If all conditions below are met' selected            |
Condition Settings > Add > Node Group     | 'If belongs to', 'VPN access policy' selected respectively  |
Condition Settings > Add > Agent Status   | 'Operation Status', 'Up' selected respectively              | Security integrity check element 1
Condition Settings > Add > Antivirus Info | 'Antivirus Info Existence', 'Exists' selected respectively  | Security integrity check element 2

  3. Create a node group for VPN connected endpoints not meeting security integrity (VPN NonCompliance)

This group is for controlling VPN connected endpoints that violate security integrity.

Configuration Item                    | Setting Value                                                   | Notes
Condition Operator                    | '(AND) If all conditions below are met' selected                |
Condition Settings > Add > Node Group | 'If belongs to', 'VPN access policy' selected respectively      |
Condition Settings > Add > Node Group | 'If does not belong to', 'VPN Compliance' selected respectively |

Step 2: Create Enforcement Policies for VPN Connected Endpoint Management

Go to Policy > Enforcement Policy, then click Create to create the following 2 enforcement policies.

Genian NAC uses enforcement policies to assign network usage rights to connected endpoints. To grant different permissions based on VPN security integrity, create separate enforcement policies. (Genian NAC policies are applied in order.)

  1. Create a policy for unverified security integrity

This policy is applied when a VPN user makes an initial connection or when a connected user violates security integrity. It allows access only to Genian NAC's guide page (CWP).

Configure as follows (place this policy above the policy for endpoints with verified security integrity):

Configuration Item     | Setting Value                   | Detailed Setting
Node Group Settings    | VPN NonCompliance               | Must satisfy both of the following 2 conditions: 1. belongs to the VPN access policy node group; 2. does not belong to the VPN Compliance group
Authorization Settings | PERM-DNS                        | Permission to access only Genian NAC CWP
RADIUS CoA Settings    | Select 'On'                     | Use CoA
CoA Commands           | Reauthenticate host (CISCO VSA) | Reauthentication request

  2. Create a policy for verified VPN security integrity

Create a policy for normal network use once the security integrity verification of a VPN connected endpoint is complete.

Configure as follows:

Configuration Item        | Setting Value                                      | Detailed Setting
Node Group Settings       | VPN Compliance                                     | Must satisfy all of the following 3 conditions: 1. belongs to the VPN access policy node group; 2. NAC Agent is operating; 3. antivirus information exists
Authorization Settings    | PERM-ALL                                           | Network access permission
RADIUS CoA Settings       | Select 'On'                                        | Use CoA
CoA Commands              | Use vendor-specific attribute (VSA)                | Note: CoA commands vary by manufacturer
Vendor-Specific Attribute | Cisco-AVPair=ACS:CiscoSecure-Defined-ACL=AllowAll | Note: applies the AllowAll policy configured earlier in CISCO ASA

Note: If an endpoint that has passed the security compliance check and is subject to this (lower) policy later violates security integrity, the unverified security integrity policy is re-assigned to it.
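The node-group and enforcement-policy logic of Steps 1 and 2, as an added example that is not Genian NAC code: it models the three node groups and the two enforcement policies from the tables above in plain Python so that the ordering rule (policies are applied in order, the unverified policy above the verified one) and the re-assignment on violation can be exercised offline. The Node record and its field names are assumptions made for the example, not the product's schema.

```python
"""Node groups and enforcement policies from this guide, modelled for offline testing.

Added example, not Genian NAC code. The Node fields below are an assumed
representation of what the NAC collects, chosen only to express the guide's conditions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Node:
    conn_type: str                 # 'Virtual' for a VPN (virtual) interface, 'Wired' otherwise
    auth_type: Optional[str]       # 'RADIUS' once authenticated by Genian NAC RADIUS
    agent_status: str = "Down"     # 'Up' when the NAC Agent is running
    antivirus_info: bool = False   # True once antivirus information has been collected


# Node groups in the order the guide creates them; every group ANDs its conditions.
def in_vpn_access(n: Node) -> bool:
    """'VPN access policy': connection type Virtual IF and RADIUS authentication."""
    return n.conn_type == "Virtual" and n.auth_type == "RADIUS"


def in_vpn_compliance(n: Node) -> bool:
    """'VPN Compliance': VPN access group, Agent operation status Up, antivirus info exists."""
    return in_vpn_access(n) and n.agent_status == "Up" and n.antivirus_info


def in_vpn_noncompliance(n: Node) -> bool:
    """'VPN NonCompliance': VPN access group but not in VPN Compliance."""
    return in_vpn_access(n) and not in_vpn_compliance(n)


# Enforcement policies in priority order: the unverified policy sits above the verified one.
POLICIES = [
    ("VPN NonCompliance", in_vpn_noncompliance,
     {"permission": "PERM-DNS", "coa": "Reauthenticate host"}),
    ("VPN Compliance", in_vpn_compliance,
     {"permission": "PERM-ALL", "coa": "ACS:CiscoSecure-Defined-ACL=AllowAll"}),
]


def enforce(n: Node) -> Optional[dict]:
    """Return the first policy whose node group matches; None if no VPN policy applies."""
    for name, matches, action in POLICIES:
        if matches(n):
            return {"policy": name, **action}
    return None


def lifecycle(n: Node, events: list) -> list:
    """Replay attribute changes on one endpoint and record the policy after each step,
    mirroring the 'initial connection' and 'violation' scenarios of the guide."""
    trail = [(enforce(n) or {}).get("policy")]
    for field_name, value in events:
        setattr(n, field_name, value)
        trail.append((enforce(n) or {}).get("policy"))
    return trail


if __name__ == "__main__":
    endpoint = Node("Virtual", "RADIUS")   # constructed: a freshly connected VPN endpoint
    print(lifecycle(endpoint, [("agent_status", "Up"),
                               ("antivirus_info", True),
                               ("antivirus_info", False)]))
```

Running the script replays one endpoint: it starts under the NonCompliance policy, stays there until both checks pass, moves to the Compliance policy, and drops back as soon as the antivirus information disappears, which is the re-assignment described in the note above.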

Step 3: Create RADIUS Policies

Go to Policy > RADIUS Policy and use the default policies provided.

This is the process of configuring the RADIUS server for user authentication upon VPN connection.

To utilize the integration function, you only need to configure two of the default RADIUS policies: VPN_NonCompliant and VPN_Compliant.

  1. RADIUS Policy: Modify VPN_NonCompliant Policy

Modify/add the default RADIUS policy for initially connected VPN users and VPN users who have violated security integrity as follows. (Recommended settings are pre-entered.)

Set the conditions as follows:

Attribute          | Condition                  | Value                                      | Notes
NAS-Port-Type      | If attribute value is same | Virtual                                    |
Calling-Station-Id | If included in node group  | Compliance Violation Node                  | Default node group
Condition Operator |                            | '(AND) If all conditions are met' selected |

Set the policy as follows. (If the conditions are met, the policy is applied.)

Policy Name                     | Value                                        | Notes
Cisco-AVPair (url-redirect-acl) | If attribute value is same                   |
Cisco-AVPair (url-redirect)     | https://a.b.c.d/CWP2 (Policy Server IP/cwp2) | This policy sets the default connection URL for connected endpoints to Genian NAC's CWP

  2. RADIUS Policy: Modify VPN_Compliant Policy

Modify the default RADIUS policy for users who meet the security integrity conditions as follows. (Recommended settings are pre-entered.)

Set the conditions as follows:

Attribute          | Condition                     | Value                                      | Notes
NAS-Port-Type      | If attribute value is same    | Virtual                                    |
Calling-Station-Id | If not included in node group | Compliance Violation Node                  | Note the negated condition
Condition Operator |                               | '(AND) If all conditions are met' selected |

Set the policy as follows. (If the conditions are met, the policy is applied.)

Policy Name | Value    | Notes
Filter-Id   | AllowAll | Allow network access for connected endpoints with verified security integrity
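The RADIUS exchange described in the integration scenarios and configured in Steps 2 and 3 above, as an added example that is neither Genian NAC nor Cisco code: it encodes the attributes the guide's RADIUS policies return (the Cisco-AVPair url-redirect pair for an unverified endpoint, the AllowAll ACL pushed by CoA once the endpoint is compliant) with the standard library only, and computes and verifies the packet authenticators that the shared secret from the prerequisites protects (RFC 2865 Response Authenticator, RFC 2866 / RFC 5176 Request Authenticator for CoA-Request). The secret, session id, Calling-Station-Id and the 'Redirect' ACL name given to url-redirect-acl are constructed sample values, and the AV-pair uses the standard spelling `ACS:CiscoSecure-Defined-ACL`.

```python
"""RADIUS packets of this integration, built and checked from scratch.

Added example, not Genian NAC or Cisco code. Standard library only, so it runs
offline; all secrets, session ids and addresses below are constructed samples.
"""
import hashlib
import struct

# RADIUS packet codes (RFC 2865, RFC 5176)
ACCESS_ACCEPT = 2
COA_REQUEST = 43

# Attribute types used by the guide's RADIUS policies
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
CISCO_AVPAIR = 1          # vendor type of Cisco-AVPair


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap 'name=value' text as a Vendor-Specific attribute:
    Vendor-Id(4) then Vendor-Type(1) Vendor-Length(1) String."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_packet(code: int, ident: int, attrs: bytes, secret: bytes,
                 request_auth: bytes = bytes(16)) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes.
    Authenticator = MD5(Code + Id + Length + request_auth + Attributes + Secret).
    With the answered request's authenticator this is the RFC 2865 Response
    Authenticator; with 16 zero octets (the default) it is the RFC 2866/5176
    Request Authenticator that a CoA-Request carries."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_packet(packet: bytes, secret: bytes, request_auth: bytes = bytes(16)) -> bool:
    """The receiver's check (the ASA, for both the Access-Accept and the CoA-Request it
    gets): recompute the authenticator with its own copy of the secret. A wrong secret
    or a modified attribute fails, which is why the key must match on both devices."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return expected == packet[4:20]


def parse_attrs(packet: bytes) -> list:
    """Decode attributes to (type, value) pairs; Cisco AV-pairs are returned as
    ('Cisco-AVPair', text). Truncated or overlapping attributes raise ValueError."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        if (atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            out.append(("Cisco-AVPair", value[6:].decode()))
        else:
            out.append((atype, value))
        pos += alen
    return out


def access_accept_redirect(request_auth: bytes, ident: int, cwp_url: str, secret: bytes) -> bytes:
    """VPN_NonCompliant policy: accept the user but confine the endpoint to the CWP by
    returning url-redirect-acl (ACL name 'Redirect' assumed) and url-redirect AV-pairs."""
    attrs = cisco_avpair("url-redirect-acl=Redirect") + cisco_avpair("url-redirect=" + cwp_url)
    return build_packet(ACCESS_ACCEPT, ident, attrs, secret, request_auth)


def coa_allow_all(ident: int, session_id: str, calling_station: str, secret: bytes) -> bytes:
    """Verified policy: once the endpoint joins VPN Compliance, push the AllowAll ACL to
    the ASA session with a CoA-Request identified by session id and Calling-Station-Id."""
    attrs = (attr(ATTR_ACCT_SESSION_ID, session_id.encode())
             + attr(ATTR_CALLING_STATION_ID, calling_station.encode())
             + cisco_avpair("ACS:CiscoSecure-Defined-ACL=AllowAll"))
    return build_packet(COA_REQUEST, ident, attrs, secret)


if __name__ == "__main__":
    secret = b"Secret-key"                                      # constructed shared key
    coa = coa_allow_all(1, "0x1a2b", "10.8.0.17", secret)       # constructed session values
    print(parse_attrs(coa), verify_packet(coa, secret), verify_packet(coa, b"wrong"))
```

The two verify calls at the end show the effect of the shared-secret prerequisite: the same CoA-Request validates under the configured key and is rejected under any other, so a mismatch between the Genian NAC client entry and the ASA server-group key shows up as silently dropped CoA and failed authentication rather than an explicit error.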

Step 4: Create RADIUS Service

Go to Policy > Service > RADIUS Server and configure.

This is the process of configuring the RADIUS service for user authentication upon VPN connection.

  • RADIUS Secret Settings

Click Client Settings > Add and configure as follows. (RADIUS server connection prerequisite settings)

Configuration Item | Setting Value   | Notes
Name               | CISCO-VPN       | CISCO VPN connection client
IP/Subnet          | 192.168.50.0/24 | Connection IP address/subnet
CoA Port Number    | 3799            | Default value is 3799 (can be changed)
Authentication Key | Secret-key      | Shared key with CISCO ASA

This guide describes a configuration in which connections arrive via CISCO ASA VPN, so the CISCO VPN gateway is registered here as the Network Access Server (NAS) client.

For the rest of the RADIUS server settings, default values can be used.

CISCO VPN and Genian NAC Integration Configuration Complete

The configuration for integrating CISCO VPN and Genian NAC has been completed.

To test for normal operation, confirm that the node group of the VPN connected endpoint changes as its security integrity verification status changes. If the node group has changed, the integration settings have been applied successfully.

How to confirm:

  1. You can check the enforcement policy that the VPN connected endpoint is subject to under Policy > Enforcement Policy, or
  2. You can confirm that the group and applied policy of the VPN connected endpoint have changed under Management > Node.

Work completed.